Festive Fuchsia Shell

High

Receipt NFTs will be permanently locked inside buyOrder when a user fills a buy order

Summary

When a user chooses to sell their NFT through sellNFT, the function transfers the wanted token into the contract. The problem is that there is no way to retrieve this NFT from the contract, and the user will be unable to fulfill their buy order, leaving the NFT permanently locked in the contract.

Root Cause

When the seller calls sellNFT with the receipt ID they wish to sell, it is transferred into the buyOrder contract.

IERC721(buyInformation.wantedToken).transferFrom(
    msg.sender,
    address(this),
    receiptID
);

The problem is that there is currently no way for the creator of this buy order to receive their NFT, because nothing implemented in the contract allows for the transfer to the buyer.

Internal pre-conditions

No response

External pre-conditions

No response

Attack Path

  1. User creates a buy order through buyOrderFactory
  2. A user fulfills this order which transfers the NFT into the buyOrder contract
  3. NFT is locked permanently

Impact

Critical: complete loss of the receipt and loss of funds to the buyer

PoC

No response

Mitigation

Implement some logic to either transfer directly to the buyer, or transfer from the contract to the buyer.
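
The two mitigation options side by side, as an added sketch that is not the audited contract's code. Only `sellNFT`, `buyInformation.wantedToken` and `receiptID` come from the finding; the contract name, the `owner` field, the constructor and `claimNFT` are hypothetical, and the payment to the seller is omitted because the page does not show it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal subset of the ERC-721 interface needed for this sketch.
interface IERC721 {
    function transferFrom(address from, address to, uint256 tokenId) external;
}

// Illustrative only: a reduced stand-in for the buyOrder contract.
contract BuyOrderSketch {
    struct BuyInfo {
        address wantedToken; // receipt NFT collection (named in the finding)
        address owner;       // assumption: the creator of the buy order
    }

    BuyInfo public buyInformation;

    constructor(address wantedToken, address orderOwner) {
        require(orderOwner != address(0), "owner is zero address");
        buyInformation = BuyInfo(wantedToken, orderOwner);
    }

    // Option 1: send the receipt straight to the buyer, so it never
    // rests in this contract. The seller must have approved this
    // contract for receiptID, exactly as in the original flow.
    function sellNFT(uint256 receiptID) external {
        IERC721(buyInformation.wantedToken).transferFrom(
            msg.sender,
            buyInformation.owner, // was address(this) in the reported code
            receiptID
        );
        // Payment to the seller is omitted here (not shown on the page).
    }

    // Option 2: if the design has to hold the receipt in the contract,
    // give the buy order's creator a way to pull it out. Restricted to
    // the creator so nobody else can take a held receipt.
    function claimNFT(uint256 receiptID) external {
        require(msg.sender == buyInformation.owner, "not order owner");
        IERC721(buyInformation.wantedToken).transferFrom(
            address(this),
            msg.sender,
            receiptID
        );
    }
}
```

Only one of the two paths is needed; a regression test for either should assert that the receipt's owner is the buy order's creator once the order has been filled (and, for option 2, claimed).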